Description
LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability is fixed in 1.2.11.
A flaw was found in LangChain. The ChatOpenAI.get_num_tokens_from_messages method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This issue allows an attacker to cause Server-Side Request Forgery (SSRF) by providing malicious image URLs in user input.
Report
To exploit this issue, an attacker needs to be able to provide a malicious image_url to a LangChain instance. However, the server responses are not returned to the attacker (blind SSRF), increasing the complexity of exploitation. Additionally, an attacker can cause the server to fetch large files, potentially resulting in a high consumption of bandwidth or CPU, causing a limited impact to availability but not a complete denial of service. For these reasons, this vulnerability has been rated with a low impact.
Mitigation
To mitigate this issue, manually validate that all image_url fields use the HTTP/HTTPS protocols, point to allowed public domains and do not resolve to internal IP addresses before passing messages to ChatOpenAI or any LangChain model.
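The manual check described above, as an added example that is not LangChain's or the vendor's own code. It assumes OpenAI-style dict messages; `ALLOWED_HOSTS`, the function names and the injectable `resolver` parameter are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"images.example.com"}  # assumption: placeholder allowlist


def resolve(host):
    """Return every IP address the host name currently resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_image_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=resolve):
    """Return None when the URL passes all three checks, else the reason."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
    except ValueError:
        return "URL does not parse"
    if parts.scheme not in ("http", "https"):
        return "scheme is not http/https"
    if host not in allowed_hosts:
        return "host is not on the allowlist"
    try:
        addresses = resolver(host)
    except OSError:
        return "host does not resolve"
    for addr in addresses:
        if not ipaddress.ip_address(addr).is_global:
            return f"resolves to non-public address {addr}"
    return None


def rejected_image_urls(messages, **kwargs):
    """List (url, reason) for each failing image_url block in dict messages."""
    bad = []
    for message in messages:
        content = message.get("content")
        if not isinstance(content, list):
            continue  # plain-string content has no image blocks
        for block in content:
            if not isinstance(block, dict) or block.get("type") != "image_url":
                continue
            value = block.get("image_url")
            url = value.get("url") if isinstance(value, dict) else value
            reason = check_image_url(str(url), **kwargs)
            if reason:
                bad.append((url, reason))
    return bad
```

Call `rejected_image_urls` on user-supplied messages before they reach the model and refuse the request if the list is not empty. The DNS answer is checked at validation time only, so a later fetch may resolve the name again.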
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| OpenShift Lightspeed | openshift-lightspeed/lightspeed-service-api-rhel9 | Fix deferred | | |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/lightspeed-rhel8 | Fix deferred | | |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-25/lightspeed-rhel8 | Fix deferred | | |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-26/lightspeed-rhel9 | Fix deferred | | |
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-llama-stack-core-rhel9 | Fix deferred | | |
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-trustyai-ragas-lls-provider-dsp-rhel9 | Fix deferred | | |
Additional information
Status:
3.7 Low
CVSS3
Related vulnerabilities
LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages
3.7 Low
CVSS3